fix: Don't allow serialization of firestore settings #1742

Merged
merged 3 commits into from
Aug 8, 2022


abhishekwebcode
Contributor

When logging any Firestore object like WriteBatch, Transaction, etc., the settings object also gets logged / exposed.
This can be seen by running JSON.stringify on any Firestore object, even a document reference.
Many developers log Firestore objects to help them debug testing/prod issues; this leaking of the entire Firestore key via this._settings is a bad practice as per me.
We can also use Object.defineProperty to make it non-enumerable, or any other technique that you like.


@abhishekwebcode abhishekwebcode requested review from a team as code owners June 30, 2022 08:29

google-cla bot commented Jun 30, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).


@product-auto-label product-auto-label bot added size: xs Pull request size is extra small. api: firestore Issues related to the googleapis/nodejs-firestore API. labels Jun 30, 2022
@ehsannas
Contributor

ehsannas commented Jul 4, 2022

Thanks for your contribution @abhishekwebcode. If I understand correctly, you are concerned about users seeing the name of your Firestore host from the Settings object, is that correct?

@abhishekwebcode
Contributor Author

@ehsannas no, I am worried about developers with log access seeing the Firestore private key (the one that initialises the firebase-admin Node.js library)

@ehsannas
Contributor

@ehsannas ehsannas self-requested a review July 11, 2022 15:13
@ehsannas ehsannas self-assigned this Jul 11, 2022
@abhishekwebcode
Contributor Author

Hey @ehsannas, I have signed the agreement now.

abhishekwebcode and others added 2 commits August 4, 2022 15:48
@ehsannas ehsannas changed the title Dont allow serialization of firestore settings fix: Don't allow serialization of firestore settings Aug 4, 2022
@ehsannas ehsannas added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 4, 2022
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 4, 2022
@ehsannas ehsannas assigned MarkDuckworth and unassigned ehsannas Aug 4, 2022
@ehsannas ehsannas requested a review from MarkDuckworth August 4, 2022 21:50
@MarkDuckworth
Contributor

There could be scenarios where the serialized settings object is useful. Could we a) make this behavior optional, b) redact only the key, or c) make the key non-enumerable?

@ehsannas
Contributor

ehsannas commented Aug 5, 2022

Thanks for the suggestion. I have updated the code to only redact the credentials part of the settings object. PTAL @MarkDuckworth
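
The options raised in this thread (a non-enumerable settings field, or redacting only the credentials), sketched as an added example that is not code from this pull request or from the library. The class names, `serializeRef`, `leaksKey` and the sample settings are hypothetical stand-ins.

```javascript
// Added example: LeakyClient / HiddenClient / RedactingClient are hypothetical
// stand-ins, not classes from the Firestore library. The key is constructed.
const SAMPLE_SETTINGS = {
  projectId: 'demo-project',
  credentials: {
    client_email: 'svc@demo-project.example',
    private_key: 'CONSTRUCTED-NOT-A-REAL-KEY',
  },
};

// Before: settings are an ordinary enumerable property, so JSON.stringify of
// the object (or of anything that references it) emits the private key.
class LeakyClient {
  constructor(settings) {
    this._settings = settings;
  }
}

// Option (c): non-enumerable field. JSON.stringify and Object.keys skip it,
// while code holding the object can still read client._settings.
class HiddenClient {
  constructor(settings) {
    Object.defineProperty(this, '_settings', { value: settings, enumerable: false, writable: true });
  }
}

// Option (b): settings stay serializable, credentials become a marker.
class RedactingClient {
  constructor(settings) {
    this._settings = settings;
  }
  toJSON() {
    const { credentials, ...rest } = this._settings;
    const safe = credentials === undefined ? rest : { ...rest, credentials: '[REDACTED]' };
    return { ...this, _settings: safe };
  }
}

// A child object that references its client, as a document reference would.
function serializeRef(client) {
  return JSON.stringify({ path: 'users/alice', _firestore: client });
}

function leaksKey(client) {
  return serializeRef(client).includes(SAMPLE_SETTINGS.credentials.private_key);
}
```

`toJSON` is only consulted by `JSON.stringify`; `console.log` and `util.inspect` do not call it, so option (b) alone still prints the credentials there, whereas a non-enumerable field is skipped by both by default.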

@ehsannas ehsannas removed their request for review August 5, 2022 21:27
@ehsannas ehsannas added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 8, 2022
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 8, 2022
@ehsannas ehsannas added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Aug 8, 2022
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 8, 2022
@ehsannas ehsannas merged commit fa0ad66 into googleapis:main Aug 8, 2022